Verifying existing binaries with new sbsigntool:

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/fwupx64.efi.signed
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/control/uefi.crt
# sbverify --cert ./uefi.crt ./fwupx64.efi.signed
warning: data remaining[63352 vs 71400]: gaps between PE/COFF sections?
Signature verification OK

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-i386/current/fwupia32.efi.signed
# sbverify --cert ./uefi.crt ./fwupia32.efi.signed
warning: data remaining[54648 vs 63512]: gaps between PE/COFF sections?
Signature verification OK

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/signed/linux-amd64/current/signed.tar.gz -O linux-signed.tar.gz
# tar xvf linux-signed.tar.gz
# sbverify --cert uefi.crt 4.15.0-20.21/vmlinuz-4.15.0-20-generic.efi.signed
warning: data remaining[8249064 vs 8249080]: gaps between PE/COFF sections?
Signature verification OK
# sbverify --cert uefi.crt 4.15.0-20.21/vmlinuz-4.15.0-20-lowlatency.efi.signed
warning: data remaining[8298216 vs 8298232]: gaps between PE/COFF sections?
Signature verification OK

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/grub2-amd64/current/grubx64.efi.signed
# sbverify --cert uefi.crt grubx64.efi.signed
Signature verification OK

# wget http://ports.ubuntu.com/dists/bionic/main/uefi/grub2-arm64/current/grubaa64.efi.signed
# sbverify --cert uefi.crt ./grubaa64.efi.signed
Signature verification OK

All existing bionic signatures validate correctly. Thus the problem is
really induced by gaps/ordering of the .sbat & .data sections, on arm64
with the very new sbat-capable binaries.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921387

Title:
  launchpad signing shimaa64.efi fails to validate
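
The report above attributes the failure to gaps and ordering of the .sbat and .data sections. As an added example (not part of the bug report and not sbsigntool's code), this Python script walks a PE/COFF section table and reports gaps between sections and whether the table order matches the file order. The byte accounting (headers + section raw data + certificate table, compared with the file size) is an assumption about what the "data remaining" warning measures, and the sample image is constructed.

```python
import struct

def section_layout(pe: bytes) -> dict:
    """Account for each byte of a PE/COFF file: headers, section data, cert table."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    opt = pe_off + 24                                             # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    hdr_size = struct.unpack_from("<I", pe, opt + 60)[0]          # SizeOfHeaders
    dirs = opt + (112 if magic == 0x20B else 96)                  # PE32+ vs PE32
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    sections = []
    for i in range(nsect):
        base = opt + opt_size + 40 * i                            # 40-byte section header
        name = pe[base:base + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, base + 16)
        if raw_size:                                              # skip sections with no file data
            sections.append((name, raw_ptr, raw_size))
    by_offset = sorted(sections, key=lambda s: s[1])
    gaps, cursor, prev = [], hdr_size, "<headers>"
    for name, ptr, size in by_offset:
        if ptr > cursor:                                          # bytes no section claims
            gaps.append((prev, name, ptr - cursor))
        cursor, prev = max(cursor, ptr + size), name
    return {
        "accounted": hdr_size + sum(s[2] for s in sections) + cert_size,
        "file_size": len(pe),
        "gaps": gaps,
        "trailing": (cert_off if cert_size else len(pe)) - cursor,
        "table_order_is_file_order": sections == by_offset,
    }

def build_sample() -> bytes:
    """Constructed PE32+ file: .data listed before .sbat, 0x100-byte gap between them."""
    img = bytearray(0x600)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<H12xH", img, 0x46, 2, 240)                 # 2 sections, opt header size
    struct.pack_into("<H", img, 0x58, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 60, 0x200)                 # SizeOfHeaders
    for i, (name, size, ptr) in enumerate([(b".data", 0x200, 0x400), (b".sbat", 0x100, 0x200)]):
        base = 0x58 + 240 + 40 * i
        img[base:base + len(name)] = name
        struct.pack_into("<II", img, base + 16, size, ptr)
    return bytes(img)

print(section_layout(build_sample()))
```
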
